| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 20 Apr 2006 12:34:42 -0400 (EDT)
From: "Steven M. Christey" <coley@...re.org>
To: bugtraq@...urityfocus.com
Subject: Re: CuteNews 1.4.1 <= Cross Site Scripting
>Exploit:
>http://www.example.com/index.php?mod=editnews&action=editnews&id=1145397112&source=[XSS]
This XSS is likely resultant from a more serious issue in which the
$source variable is not being validated, so it is subject to attacks
such as directory traversal. Given the program's assumption of the
file format, it is possible that only portions of certain files could
be read. The "doeditnews" action does overwrite this same file, so it
could also be used at least for file corruption. However, this is all
based on source analysis; I did not test this.
from inc/editnews.mdu in CuteNews 1.4.1:
elseif($action == "editnews")
{
// Show The Article for Editing
if($source == ""){ $all_db = file("./data/news.txt"); }
elseif($source == "postponed"){ $all_db = file("./data/postponed_news.txt"); }
elseif($source == "unapproved"){ $all_db = file("./data/unapproved_news.txt"); }
else{ $all_db = file("./data/archives/$source.news.arch"); }
$found = FALSE;
foreach ($all_db as $line)
{
$item_db=explode("|",$line);
if ($id == $item_db[0]){ $found = TRUE; break;}
}//foreach news line
and later:
elseif($action == "doeditnews")
{
[SNIP]
else{ $news_file = "./data/archives/$source.news.arch"; $com_file = "./data/archives/$source.comments.arch";}
$old_db = file("$news_file");
$new_db = fopen("$news_file", w);
- Steve
Powered by blists - more mailing lists